NSA spying could mean U.S. tech companies lose international business

Domestic Internet firms face political, economic consequences for breach of trust over the NSA surveillance controversy.

It is not just personal information that is being swept into the National Security Agency's (NSA) massive databases. It is corporate data as well. And that could cause some serious international blowback for the U.S., both politically and economically.

According to a number of security experts, the U.S. surveillance state -- exposed more officially than ever before by former NSA consultant Edward Snowden -- will likely undercut the U.S.'s role and influence in Internet governance.

Ron Deibert, a professor of political science at the University of Toronto, wrote last week on the CNN website that, "there are unintended consequences of the NSA scandal that will undermine U.S. foreign policy interests -- in particular, the 'Internet Freedom' agenda espoused by the U.S. State Department and its allies.

"The revelations that have emerged will undoubtedly trigger a reaction abroad as policymakers and ordinary users realize the huge disadvantages of their dependence on U.S.-controlled networks in social media, cloud computing, and telecommunications, and of the formidable resources that are deployed by U.S. national security agencies to mine and monitor those networks," Deibert wrote.

Bruce Schneier, CTO at BT and author/security guru, agreed. He linked to Deibert's article on his own blog, adding, "Now, when countries like Russia and Iran say the U.S. is simply too untrustworthy to manage the Internet, no one will be able to argue."

"We can't fight for Internet freedom around the world, then turn around and destroy it back home."

The revelations also pose an economic problem for U.S. cloud providers on the international market. Richard Stiennon, chief research analyst at IT-Harvest, wrote in Forbes that this kind of, "vast foreign and domestic spying ... threatens the global competitiveness of U.S. tech companies."

Stiennon wrote that since 2006, when making presentations outside the U.S., he has always been asked if the U.S. is reading foreigners' email.

"Answers that allude to 'protections from abuse' and 'oversight' now seem specious," he wrote. "From this week forward a universal suspicion has transformed into acknowledged fact. Yes, U.S. government agencies are reading email, tracking phone calls, and monitoring all communications."

It would seem that any savvy cloud customers in other parts of the world would have already been aware for years of the NSA's data collection. Former longtime NSA employee William Binney has been talking about it for more than a decade; the agency's capabilities have been widely reported in the mainstream and technology press; and even members of Congress have hinted at it at least since 2009.

But Brian Honan, of BH Consulting and also a board member of the UK & Ireland chapter of the Cloud Security Alliance, said that, "reassurances from both the providers and U.S. government officials may have allayed to some extent some of those concerns. However the recent revelations about the alleged extent of the surveillance have undermined completely those reassurances."

The "denials" coming from cloud providers are not much reassurance either. Kerri Catalozzi, speaking for Amazon, said by email that the company "is not participating in PRISM (an NSA program that reportedly has agreements to collect data from nine Internet companies)."

That is likely true: Amazon was not among the companies listed in a leaked PowerPoint presentation. But nonparticipation in PRISM offers no guarantee that data isn't being collected.

The response was similar from Salesforce.com -- spokesman Chi Hea Cho emailed a statement that, "nothing is more important to salesforce.com than the privacy and security of our customers' data. We are not involved in the PRISM program, and we do not provide any governments with direct access to Salesforce servers."

But "direct access" does not mean no access. As a number of analysts have pointed out, the data could come indirectly to the government, through a third party.

Honan said European companies using services from U.S. Internet companies must now be concerned about whether they are in breach of EU Data Protection laws. Those laws require companies to, "ensure only authorized personnel have access to any personal information of individuals. The fact that U.S. government agencies may be accessing this data could result in many European organizations being unable to satisfy their data protection obligations," he said.

While U.S. cloud providers are not saying if they are having trouble either gaining or holding international customers, Honan said he has talked with cloud providers based in the EU, "and they have told me they have seen an increase in sales inquiries."

Stiennon wrote that there has been a level of distrust for a while.

"Email archiving services such as ProofPoint could not sell to even Canadian customers without building local infrastructure. Even establishing separate data centers in Canada and Europe is not enough to assure customers that their data would forever stay out of the grasp of U.S. intelligence services."

The recent revelations, he said, will only make things more difficult.

In an interview, Stiennon said the only way for U.S. cloud providers to bridge the current trust gap is to, "adjust their delivery model to a zero-trust mode. In this model the provider encrypts everything and does not even have the keys. Those are left to the customer to store and manage."

And that, he noted, will only work for, "pure cloud providers. Google and Facebook have models that need access to that data to tailor ad delivery."

Politically, he said, it will be a very tough sell.

"It would take a rollback of the surveillance state to deflect this avalanche. Once trust is betrayed, it takes a complete reversal of course to get it back. The U.S. would have to become the privacy state, and demonstrate the absence of surveillance."

Honan said he knows U.S. Internet companies have to comply with legal requests for information from the government. But, he said, they could reassure their international clients by, "being more transparent regarding the requests they get from the government agencies. As an industry these companies should also consider lobbying the government on how to balance the need of their clients with the security demands of the government."

Stories by Taylor Armerding
